Re: recovery agent keys/certs

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 01/17/04


Date: Fri, 16 Jan 2004 15:54:20 -0800


"Yes" to everything you asked, but here are my verbose answers:

1. Yes. To decrypt a file, two things are needed: a) read permissions (ACLs)
on the file and b) a certificate and private key of a user or recovery agent
on the file.

2. Recovery Policy is per-machine in a workgroup and is a machine policy set
per-GPO in a domain. By default Windows XP does not have a recovery policy.
By default, a domain will have one set in the "Default Domain Policy" but
not on other GPOs. "Workgroup" is misleading terminology that we're stuck
with now. It's probably better understood as "non-domain joined" because
policy isn't shared in a workgroup and must be set per-machine.

3. Yes. Create the recovery agent before users encrypt files so that you
guarantee that those files will have a recovery agent set on them, otherwise
it won't be applied until someone opens the file later. Export cert/key
pairs ASAP and put them in a safe place to avoid data loss.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Neil" <me@home.com> wrote in message
news:bu9nn3$si9$1@otis.netspace.net.au...
> For those of us still grappling with EFS, am I correct to summarise as
> follows:
>
> 1.  Backing up EFS certificates (with private key) will allow for later
> decryption of encrypted files even if that user's profile is destroyed, but
> only that user's files will be decryptable?
>
> 2.  Creating a recovery agent is a per machine (workgroup?) setting,
> allowing recovery of all encrypted files on the machine (workgroup?)
> regardless of the profile used to encrypt them in the first place?
>
> 3.  Creating a recovery agent and / or backing up EFS certificates should
> be done prior to creating encrypted files?
>
> Thanks.
>
> Neil.
>
> "jerry" <anonymous@discussions.microsoft.com> wrote in message
> news:044101c3dbd4$1f41c6e0$a501280a@phx.gbl...
> > mgm,
> >
> >     I hope your goal to create a Recovery Agent is to
> > ensure recovery of future encrypted data & not past
> > encrypted data, otherwise you may be in trouble -- just
> > thought I'd add that in as well, as you may have read "EFS
> > is very good at what it does & there are NO backdoors -
> > else it would be pointless" --
> >
> > BTW -- good points there drew-- i will be applying them to
> > my EFS practice..
> >
> > Jerry.
> > >-----Original Message-----
> > >Great overview!  I'd like to add a couple of points:
> > >- If you want to be especially secure you can run "cipher /w" after you
> > >delete the .pfx file and empty the recycle bin. (Otherwise a raw read of
> > >the volume could find the .pfx.)
> > >- After the new recovery agent is in place in group policy have every user
> > >with encrypted files run "cipher /u".  The recovery agent of any given file
> > >is updated when the file is opened.  "cipher /u" tries to touch all the
> > >files on the machine, updating any that the user can open.
> > >-- 
> > >Drew Cooper [MSFT]
> > >This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > >
> > >"Jerry." <anonymous@discussions.microsoft.com> wrote in message
> > >news:040801c3daff$85e970d0$a501280a@phx.gbl...
> > >> Hi,
> > >>
> > >>    Here is a link that should help you out-
> > >> http://www.pcstats.com/articleview.cfm?
> > >> articleid=1508&page=6
> > >>
> > >> In short,
> > >>
> > >> Creating a recovery agent:
> > >>
> > >> Decide which user you wish to use as a data-recovery
> > >> agent. It is recommended that you use the built
> > >> in 'administrator' account. Login as this account.
> > >>
> > >> Go to 'start\run' and type 'cmd' to bring up the command
> > >> prompt.
> > >>
> > >> Type 'cipher /r:(pick a filename)' to create a digital
> > >> certificate for a recovery agent. You will be prompted to
> > >> set a password. This creates two files in the 'my
> > >> documents' folder of the current user. Be aware that these
> > >> files can be used by anyone to become a data-recovery
> > >> agent, so it is wise to remove them after we are finished
> > >> this procedure.
> > >>
> > >> And by remove them I mean delete the files and empty out
> > >> the "recycle bin." This effectively clears the files from
> > >> the computer, or you can manage the same result by holding
> > >> down the 'shift key' as you delete the selected files.
> > >>
> > >> Go to 'start\run' and type certmgr.msc.
> > >>
> > >> On the 'file to import' page, click 'browse' then change
> > >> the 'files of type' dropdown box to .pfx files
> > >>
> > >> Select the filename you created with the 'cipher /r:'
> > >> command. Type the password.
> > >>
> > >> Check the 'mark this key as exportable' box.
> > >>
> > >> Click 'next.'
> > >>
> > >> Choose the 'Automatically Select The Certificate Store
> > >> Based On The Type Of Certificate' option.
> > >>
> > >> Click 'next,' then 'finish.'
> > >>
> > >> Close the certificates console.
> > >>
> > >> Go to 'start\run' and type 'secpol.msc' to open the local
> > >> security policies.
> > >>
> > >> Navigate to 'Security Settings\Public Key
> > >> Policies\Encrypting File System,' and
> > >> Choose 'Action\Add Data Recovery Agent.' Click 'Next.'
> > >>
> > >>
> > >> Click 'browse folders.' Open the filename you created
> > >> earlier with the 'cipher'
> > >> command. Click 'next' then 'finish.' The current user is
> > >> now a data-recovery agent and
> > >> can decrypt any EFS encrypted files on the system
> > >>
> > >> -- Still check out the link as it provides you with screen
> > >> shots ok, - I had troubles getting EFS to work when I
> > >> first started with it ..but believe me once u get it
> > >> working..its awesome..
> > >>
> > >> best of luck
> > >>
> > >> anonymous
> > >> >-----Original Message-----
> > >> >I've attempted to set up a recovery agent. The XP help
> > >> files talks about the mmc and exporting/importing these
> > >> >certificates/keys, but I can't find any reference to
> > >> >actually creating or obtaining the keys/certificates.  I'm the
> > >> >local computer admin and I need to recover an encrypted
> > >> >file... Please tell me how to create the needed certs and keys.
> > >> >Thanks...
> > >> >mgm
> > >> >
> > >> >
> > >> >
> > >
> > >
> > >
>
>
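The thread's key operational point is that a file's recovery agent is only re-stamped when the file is next opened, so after a DRA policy change some files can silently remain recoverable only by their owner. The script below is an added example, not code from this thread or from Microsoft: it inventories EFS-encrypted files under a folder and reports which ones do not yet carry a recovery certificate, which tells an administrator where "cipher /u" still needs to run. It assumes Windows Vista or later (cipher.exe gained the /c switch after XP), PowerShell 3.0 or later, and that cipher /c prints the literal phrase "No recovery certificate found" for a file with no DRA on it; that phrase is an assumption and should be confirmed against one known file before trusting the report.

```powershell
<#
  Added example, not from the thread: audit EFS-encrypted files under a folder
  and report which ones do not yet carry a recovery agent, so an administrator
  can see where "cipher /u" still needs to be run after a DRA policy change.
  Assumptions: Windows Vista or later (cipher.exe /c is not present on XP),
  PowerShell 3.0 or later, and that cipher /c prints the literal line
  "No recovery certificate found" for a file with no DRA stamped on it.
#>
param(
    [string]$Root = "$env:USERPROFILE\Documents"
)

function Get-EfsFile {
    param([string]$Path)
    # Every EFS-protected file carries the Encrypted file attribute.
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

function Test-HasRecoveryAgent {
    param([string]$FilePath)
    # cipher /c lists the user certificates and recovery certificates that can
    # decrypt the file. The marker phrase below is an assumption (see lead-in).
    $text = (& cipher.exe /c "$FilePath" 2>&1) -join "`n"
    return -not ($text -match 'No recovery certificate found')
}

function Get-EfsRecoveryReport {
    param([string]$Path)
    foreach ($file in (Get-EfsFile -Path $Path)) {
        [pscustomobject]@{
            Path             = $file.FullName
            HasRecoveryAgent = Test-HasRecoveryAgent -FilePath $file.FullName
        }
    }
}

$report  = @(Get-EfsRecoveryReport -Path $Root)
$missing = @($report | Where-Object { -not $_.HasRecoveryAgent })

$report | Format-Table -AutoSize
Write-Output ("{0} encrypted file(s) under {1}; {2} without a recovery agent." -f `
    $report.Count, $Root, $missing.Count)
if ($missing.Count -gt 0) {
    # As the thread notes, a file's DRA is only refreshed when the file is
    # opened, so the owner must run "cipher /u" (or open each file) to re-stamp it.
    Write-Output 'Ask the file owner to run: cipher /u'
}
```

Run it in the context of a user who can read the files in question (cipher /c needs read access to the file's EFS metadata), and run it again after that user has executed "cipher /u" to confirm the "without a recovery agent" count has dropped to zero. Files that stay on the list are the ones whose loss the thread warns about: without the owner's exported certificate and key they cannot be recovered.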

